JP4615435B2 - Network relay device - Google Patents

Description

  The present invention relates to a network relay device that interconnects different networks, and more particularly to a network relay device that enhances security when a communication terminal connected to one network performs multicast communication.

  A gateway device that is a network relay device includes, for example, a LAN (Local Area Network) built in a home and a network built by an Internet service provider, a LAN built in an office, a corporate trunk network, and the like. Network).

  Generally, a gateway device uses an IP to simplify IP address setting in a communication device connected to a LAN side, in addition to a router function that transfers an IP packet based on a destination address in an IP (Internet Protocol) packet. DHCP (Dynamic Host Configuration Protocol) server function for automatically issuing addresses, private IP addresses used by communication devices connected to the LAN side to use IP address resources efficiently, and globals used on the WAN side A NAT (Network Address Translation) function for converting IP addresses is provided.

The gateway device also has a DNS (Domain Name System) for relaying control protocol messages used by the LAN-side communication device and the WAN-side communication device in TCP / IP (Transmission Control Protocol / Internet Protocol) communication. And IGMP (
It has a proxy function such as Internet Group Management Protocol.

  On the other hand, the WAN connected to the gateway device sets a virtual group independent of the physical connection form, and configures a VLAN (Virtual Local) that configures the network without being aware of the physical location of the connected communication terminal. Area network). For this reason, various techniques related to a gateway device corresponding to a VLAN have been conventionally considered.

  For example, Patent Document 1 discloses a technique related to a gateway device having a control function for connecting a specific VLAN and a communication terminal used by a user according to a user authentication result. Specifically, the authentication information transmitting / receiving unit receives authentication information for authenticating the user from the communication terminal, and the authentication requesting unit transmits to the authentication server in the authentication network according to the authentication information received by the authentication information transmitting / receiving unit. When an authentication request is made and the authentication response means receives authentication response information representing a response to the authentication request from the authentication server, and the authentication response information received by the authentication response means indicates successful authentication, the user authorization means The virtual network and the communication terminal used by the user are connected according to the virtual network identification information for identifying the virtual network corresponding to the user. That is, the gateway device is configured to connect a plurality of LAN-side communication terminals after obtaining authentication to different WANs logically separated for each communication terminal.

  Thus, all communication terminals on the LAN side belong to the same network, but these LAN side communication terminals can be connected to different WANs when authenticated. In other words, an unauthenticated LAN-side communication terminal for connecting to a WAN cannot connect to the WAN. Therefore, the communication terminal on the LAN side can share a device such as a printer connected to the LAN, and can connect to a WAN that provides different services for each communication terminal after authentication.

  In addition, even when duplicate IP addresses are used in different WANs, there is a secondary effect that the authenticated communication device on the LAN side can be connected only to the target WAN.

JP 2005-149337 A

  However, the conventional gateway device described in Patent Document 1 relates to forwarding of IP multicast traffic from the WAN side when relaying IP packets after authenticating the communication terminal on the LAN side and connecting to each different WAN. , Including some problems.

  A gateway device having a normal IP multicast transfer function transfers IP multicast traffic from the WAN side in a form that can be received by all communication terminals on the LAN side. For this reason, the communication terminal on the LAN side receives multicast traffic from the WAN that is not connected.

  Patent Document 1 does not disclose a technique related to multicast traffic transfer. When the gateway device described in Patent Document 1 forwards multicast traffic by a normal IP multicast forwarding function, even if the LAN side communication terminal authenticates that only a specific WAN is connected, the multicast from the WAN side As for traffic, multicast traffic from a WAN that has not undergone connection authentication is transmitted to a communication terminal on the LAN side. As a result, the communication terminal on the LAN side can receive multicast traffic from a WAN that has not been authenticated for connection. That is, with the prior art described in Patent Document 1, the authentication result cannot be taken into account for multicast traffic from the WAN side, and security cannot be improved by making full use of the authentication function. was there.

  Further, since the conventional gateway device transfers multicast traffic from a plurality of WANs in a form that can be received by all communication terminals on the LAN side, the communication terminal on the LAN side may receive the multicast traffic by mistake. There was a system problem. For example, when the gateway device is connected to the same network such as the Internet via a plurality of WANs to which the gateway device is connected, multicast traffic from the multicast distribution device on the network is transmitted to the gateway device via the plurality of WANs. When input, duplicate multicast traffic is transferred to the communication terminal on the LAN side, and the communication terminal on the LAN side may receive the same multicast traffic in duplicate.

  Furthermore, since the conventional gateway device transfers the IP multicast traffic from the WAN side in a form that can be received by all communication terminals on the LAN side, the IP multicast traffic in the LAN is unnecessarily increased and the performance as a communication system is degraded. There was also a problem.

  The present invention has been made in view of the above, and to a communication terminal participating in a multicast group, forwards only a multicast IP packet from a network whose connection is authenticated with the communication terminal. The object is to obtain a device.

  In order to solve the above-described problems and achieve the object, the present invention provides a network between a first network to which one or more communication terminals are connected and a second network in which a plurality of virtual networks are constructed. Arranged, and the communication terminal has an authentication processing unit for authenticating connection to at least one of the plurality of virtual networks, and the communication terminal is connected to the virtual network only when authenticated by the authentication processing unit. In the network relay device for transferring an IP packet, an authentication information table in which a virtual network whose connection is authenticated by the authentication processing unit is registered in association with the communication terminal, and the reception interface of the IP packet is associated with the communication interface. An interface table in which a virtual network accommodated by the receiving interface is registered; and the virtual network A multicast routing table in which physical or logical interfaces of the multicast group are registered in the virtual network in association with the network and the multicast group, and in the virtual network in association with the virtual network and the destination IP prefix. When the physical or logical interface of the destination IP prefix is registered, and when the IP packet to be relayed is a multicast IP packet, the authentication information table and the multicast routing table are used for IP. When a packet transmission destination is selected and the IP packet to be relayed is an IP packet different from multicast, the interface table and the Select the destination of IP packets with computing table, characterized in that it comprises a routing processing unit that transmits the IP packet to the selected destination.

  According to the present invention, the multicast routing table in which the physical or logical interface of the multicast group is registered in the virtual network in association with the virtual network and multicast group whose connection with the communication terminal is authenticated. In the case of forwarding a multicast IP packet from a network in which a plurality of virtual networks are constructed, a multicast network based on the virtual network that has received the multicast IP address, the multicast group address of the multicast IP packet, and the multicast routing table Since the destination of the IP packet is selected, the connection with the communication terminal is authenticated for the communication terminal participating in the multicast group. Make it possible to transfer only multicast IP packets from Ttowaku, it is possible to improve the security of the communication system is an effect that it is possible to obtain a network relay device.

  Embodiments of a network relay device according to the present invention will be described below in detail with reference to the drawings. Note that the present invention is not limited to the embodiments.

Embodiment 1 FIG.
A first embodiment of the present invention will be described with reference to FIGS. FIG. 1 is a diagram showing a configuration of a gateway device that is a network relay device according to Embodiment 1 of the present invention, and a configuration of a communication system to which the gateway device is applied. In FIG. 1, the communication system includes a LAN (Local Area Network) 3 having one or a plurality of (in this case, three) communication terminals 31-1 to 31-3 and a plurality of (in this case, three) VLANs (three in this case). Virtual Local Area Network) 51-1 to 51-3 are arranged between the WAN (Wide Area Network) 5 and the LAN 3 and WAN 5, and the VLAN 51 of the communication terminals 31-1 to 31-3 in the LAN 3 -1 to 51-3, and the gateway device 1 that transfers IP (Internet Protocol) packets between the communication terminals 31-1 to 31-3 and the VLANs 51-1 to 51-3 that have been authenticated. .

  The communication terminals 31-1 to 31-3 are, for example, communication devices such as personal computers, IP (Internet Protocol) telephones, TV broadcast receivers, and the like, network interface functions of the LAN 3, and TCP / IP (Transmission Control Protocol / Internet). A communication function based on the Protocol), and connected to the VLANs 51-1 to 51-3 via the gateway device 1 to communicate with a communication terminal or server (not shown) connected to the VLANs 51-1 to 51-3. Communicate.

  Communication between the communication terminals 31-1 to 31-3 and the gateway device 1, that is, communication on the LAN 3 side, is a general Ethernet (registered trademark) including an IP packet based on TCP / IP. (Registered trademark) frame (hereinafter referred to as layer 2 frame) is used. Specifically, the layer 2 frame includes a MAC header having a destination MAC address, a source MAC address, and a data length, a version, an Internet header length, a service type, a total length, an identifier, a flag, a fragment offset, and a protocol type. , A header checksum, a source IP address, an IP header having a destination IP address, and data.

  The VLANs 51-1 to 51-3 are physical or logical networks (virtual networks) to which the communication terminals 31-1 to 31-3 are connected. Hereinafter, VLANs 51-1 to 51-3 will be described on the premise that they are VLANs defined by IEEE (Institute of Electrical and Electronic Engineers) 802.1Q. However, the gateway device 1 is a network that can selectively communicate. For example, an LSP (Label Switched Path) in MPLS (Multi-Protocol Label Switching) or a PPP (Point-to-Point Protocol) connection may be used.

  Communication between the VLANs 51-1 to 51-3 and the gateway device 1, that is, communication on the WAN 3 side, is a general Ethernet (registered trademark) frame with a VLAN tag including an IP packet based on TCP / IP ( Hereinafter, a tagged layer 2 frame) is used. Also. The tagged layer 2 frame has a VLAN tag in which information on the VLAN including the VLAN identifier is set between the transmission source MAC address and the data length of the MAC header of the layer 2 frame described above.

  The gateway device 1 includes an authentication processing unit 11, an IGMP (Internet Group Management Protocol) proxy processing unit 12, a routing processing unit 13, a storage unit 14, and a plurality of (in this case, four) ports 15-1 to 15-4. I have.

  The ports 15-1 to 15-4 have functions of a network interface of the LAN 3 to which the communication terminals 31-1 to 31-3 are connected and a network interface of the VLANs 51-1 to 51-3. In FIG. 1, the port 15-1 accommodates the communication terminal 31-1, the port 15-2 accommodates the communication terminal 31-2, the port 15-3 accommodates the communication terminal 31-3, and the port 15- 4 accommodates the VLANs 51-1 to 51-3. Here, the network interfaces of the LAN 3 and the VLANs 51-1 to 51-3 are Ethernet (registered trademark), but are not limited thereto. The network interface may be wired or wireless, and the communication speed is not particularly limited.

  The storage unit 14 stores information necessary for the gateway device 1 to transfer an IP packet. In FIG. 1, a connection information table 141, an authentication information table 142, a multicast participation state information table 143, a multicast routing table 144, a routing table 145, an interface table 146, and a port table 147 are stored.

  In the connection information table 141, information necessary for access authentication of the user who uses the communication terminals 31-1 to 31-3 and the communication terminals 31-1 to 31-3 is registered. FIG. 2 shows registration items for the connection information table 141. In this example, user names and passwords are listed as the registration items. In the user name, a user identifier for identifying a user who uses the communication terminals 31-1 to 31-3 is registered. The password is associated with the user name, and a password for authenticating the user identifier registered in the user name is registered.

  In the authentication information table 142, information necessary for identifying a network to which the communication terminals 31-1 to 31-3 used by the authenticated user are connected is registered. FIG. 3 shows registration items for the authentication information table 142. Here, terminal information and VLAN information are listed as the registration items. In the terminal information, terminal identifiers for identifying the communication terminals 31-1 to 31-3 are registered. Examples of the terminal identifier include IP addresses and MAC addresses of the communication terminals 31-1 to 31-3, port identifiers assigned to the ports 15-1 to 15-3 that accommodate the communication terminals 31-1 to 31-3, and the like. Used. The VLAN information is associated with the terminal information, and a network for identifying the VLANs 51-1 to 51-3, which are the networks to which the communication terminals 31-1 to 31-3 having the terminal identifier registered in the terminal information are connected. A VLAN identifier which is an identifier is registered.

  In the multicast participation state information table 143, information on multicast groups in which the communication terminals 31-1 to 31-3 participate is registered. FIG. 4 shows registration items for the multicast participation state information table 143. Here, terminal information and destination multicast group information are listed as the registration items. In the terminal information, a terminal identifier for identifying the communication terminals 31-1-1-1 to 31-3 is registered. The destination multicast group information is associated with the terminal information, and the multicast group identifier for identifying the multicast group in which the communication terminals 31-1 to 31-3 having the terminal identifier registered in the terminal information participate is registered. . Here, a multicast group address is used as the multicast group identifier.

  In the interface table 146, as shown in FIG. 5, the correspondence between the IP packet reception interface and the network information is registered. FIG. 5 shows a case where the physical or logical network on the WAN 5 side shown in FIG. 1 is VLANs 51-1 to 51-3. The reception interface and network information include VLAN identifiers of VLANs 51-1 to 51-3. Is registered.

  The multicast routing table 144 registers information necessary for routing processing when forwarding multicast IP packets. FIG. 6 shows registration items for the multicast routing table 144. Here, VLAN information, destination multicast group information, and route information are listed as the registration items. In the VLAN information, VLAN identifiers for identifying the VLANs 51-1 to 51-3 are registered. In the destination multicast group information, a multicast group identifier for identifying which multicast group is an IP packet to be transferred is registered. In FIG. 6, a multicast group address is used as the multicast group identifier. The route information is associated with the VLAN information and the destination multicast group information, and in the VLAN indicated by the VLAN identifier registered in the VLAN information, the physical of the multicast group indicated by the multicast group identifier registered in the destination multicast group information, or A logical interface is registered. Here, terminal identifiers for identifying the communication terminals 31-1 to 31-3 participating in the multicast group indicated by the multicast group address registered in the destination multicast group information are registered as route information.

  In the routing table 145, information necessary for routing processing when an IP packet different from the multicast IP packet is transferred is registered. FIG. 7 shows registration items for the routing table 145. In this example, VLAN information, destination IP prefix information, and route information are listed as the registration items. In the VALN information, VLAN identifiers for identifying the VLANs 51-1 to 51-3 that transmit IP packets are registered. In the destination IP prefix information, the destination IP prefix of the IP packet is registered. The route information is associated with the VLAN information and the destination IP prefix information. In the VLANs 51-1 to 51-3 indicated by the VLAN identifiers registered in the VLAN information, the destination IP prefix registered in the destination IP prefix information is The indicated physical or logical interface is registered. Here, VLAN identifiers, MAC addresses of the communication terminals 31-1 to 31-3, port identifiers that accommodate the communication terminals 31-1 to 31-3, and the like are used as route information.

  In the port table information, information necessary for selecting the ports 15-1 to 15-3 that output IP packets is registered. FIG. 8 shows registration items for the port table 147. Here, port information and connection information are registered as the registration items. In the port information, port identifiers for identifying the ports 15-1 to 15-4 are registered. The connection information is associated with the port information, and terminal identifiers for identifying the communication terminals 31-1 to 31-3 accommodated by the ports 15-1 to 15-4 indicated by the port identifiers registered in the port information , VLAN identifiers for identifying the VLANs 51-1 to 51-3 are registered.

  The authentication processing unit 11 includes an authentication request layer 2 frame (hereinafter referred to as an authentication request frame) and a disconnection request layer 2 frame (hereinafter referred to as a leave request frame) received from the communication terminals 31-1 to 31-3. Based on the connection information table 141, the communication terminals 31-1 to 31-3 perform access authentication processing for authenticating connections to the VLANs 51-1 to 51-3 and perform registration and deletion processing of the authentication information table 142. Do.

  The IGMP proxy processing unit 12 has a function of managing the multicast participation state information table 143 and the multicast routing table 144 in addition to a general IGMP proxy function. Specifically, the IGMP proxy processing unit 12 performs IGMP communication with the communication terminals 31-1 to 31-3 for the LAN 3, and the multicast in which the communication terminals 31-1 to 31-3 participate. Group information is collected, and registration and update processing of the multicast participation state information table 143 and the multicast routing table 144 are performed based on the collected information. Further, the WAN 5 side performs processing as an independent IGMP host in the VLANs 51-1 to 51-3.

  The routing processing unit 13 selects an IP packet transfer destination based on the authentication information table 142, the multicast routing table 144, the routing table 145, the interface table 146, and the port table 147, and transfers the IP packet.

  Note that the gateway device 1 shown in FIG. 1 describes only the components related to the present invention. Actually, for example, a firewall function, a DNS (Domain Name System) proxy function, a DHCP (Dynamic Host Configuration Protocol) General gateway device functions such as a server function, a DHCP client function, and a NAT (Network Address Translation) function may be provided.

  In addition, when the network constituting the WAN 5 is an LSP or PPP connection in MPLS, it is necessary to provide functions necessary for communication in the relevant logical network. These functions are used for communication in a general logical network. Since this is a required function and not a function related to the present invention, its description is omitted here.

  Next, the operation of the gateway device 1 according to the present invention will be described with reference to FIGS. First, the operation of the authentication process including the registration process of the authentication information table 142 will be described with reference to the flowchart of FIG. When performing communication using the communication terminals 31-1 to 31-1, the user performs a connection process by inputting a user name and a password given in advance. The communication terminals 31-1 to 31-3 transmit an authentication request frame including the input user name, password, pre-assigned terminal identifier, and VLAN identifier to the gateway device 1.

  When receiving the authentication request frame via the ports 15-1 to 15-3 (step S100), the authentication processing unit 11 of the gateway device 1 extracts the user name and password from the authentication request frame (step S101). The authentication processing unit 11 searches the connection table using the extracted user name and password as a search key (step S102).

  When the user name and password that match the search key are detected (step S103, Yes), the authentication processing unit 11 extracts the terminal identifier and the LVAN identifier from the authentication request frame (step S104). The authentication processing unit 11 registers the extracted terminal identifier and VLAN identifier in the authentication information table 142 (step S105). The authentication processing unit 11 transmits a layer 2 frame including an authentication processing result indicating that the connection has been authenticated to the communication terminal 31-1, and ends the authentication processing (step S106).

  On the other hand, when the user name and password that match the search key cannot be detected (No in step S103), a layer 2 frame including an authentication processing result indicating that connection is not possible is transmitted to the communication terminal 31-1 for authentication. The process ends (step S107).

  Only the communication terminals 31-1 to 31-3 that have been authenticated by this authentication process and registered in the authentication information table 142 can connect to the VLANs 51-1 to 51-3 registered in the authentication information table 142. .

  Note that the connection information table 141 used for authentication may be provided in an authentication server different from the gateway device 1. In this case, the gateway device 1 may have a function of referring to the communication means with the authentication server and the connection information table 141 in the authentication server. As a means for communicating with the authentication server, RADIUS (Remote Authentication Dial In User Service) is generally used. However, any means may be used in the present invention.

  In addition, the VLAN identifier is included in the authentication request frame. However, when there is one VLAN 51-1 to 51-3 connected to the communication terminals 31-1 to 31-3, the VLAN is included in the authentication request frame. You do not have to include the identifier. In this case, a table in which the terminal identifiers of the communication terminals 31-1 to 31-3 and the VLAN identifiers indicating the VLANs 51-1 to 51-3 to which the communication terminals 31-1 to 31-3 are connected is associated with the gateway device 1. And the VLAN identifier may be selected by searching the table based on the terminal identifier in the authentication request frame.

  Next, an operation for deleting the authentication information table 142 will be described. When terminating the communication, the communication terminals 31-1 to 31-3 transmit a leave request frame including a terminal identifier to the gateway device 1.

  When the authentication processing unit 11 of the gateway device 1 receives the leave request frame via the ports 15-1 to 15-3, it extracts a terminal identifier from the leave request frame. The authentication processing unit 11 searches the terminal identifier registered in the terminal information of the authentication information table 142 using the extracted terminal identifier as a search key, and detects a terminal identifier that matches the search key. The authentication processing unit 11 deletes the detected terminal identifier from the terminal information, and deletes the VLAN identifier registered in the VLAN information in association with the terminal information.

  After deleting the terminal identifier and the VLAN identifier from the authentication information table 142, the authentication processing unit 11 notifies the IGMP proxy processing unit 12 of an erasure instruction including the deleted terminal identifier and VLAN identifier. When receiving the erasure instruction, the IGMP proxy processing unit 12 executes erasure processing of the multicast participation state information table 143 and the multicast routing table 144 described later.

  Note that the erasure process of the authentication information table 142 may be executed in response to a reception other than the receipt of the withdrawal request frame. For example, when a deletion instruction input from an input unit (not shown) of the gateway device 1 or communication is not performed within a predetermined time, the communication terminals 31-1 to 31-3 and the gateway device 1 are connected. It may be executed when it is detected that the cable to be disconnected has been disconnected.

  Specifically, when the deletion process of the authentication information table 142 is executed by a deletion instruction input from an input unit (not shown) of the gateway device 1, the administrator uses the input unit to delete communication from the authentication information table 142. A deletion instruction including the terminal identifiers of the terminals 31-1 to 31-3 is input. When receiving the deletion instruction, the authentication processing unit 11 extracts the terminal identifier from the deletion instruction, and executes the deletion process of the authentication information table 142 using the extracted terminal identifier instead of the terminal identifier extracted from the withdrawal request. .

  Further, when the deletion process of the authentication information table 142 is executed when communication is not performed within a predetermined time, the authentication processing unit 11 performs communication terminals 31-1 to 31-31 that have performed the authentication process. The IP packet transferred every 3 is monitored. When the communication terminals 31-1 to 31-3 that have not been communicated within a predetermined time as a result of monitoring are detected, the authentication processing unit 11 detects instead of the terminal identifier extracted from the withdrawal request. The deletion process of the authentication information table 142 is executed using the terminal identifiers of the communication terminals 31-1 to 31-3.

  When detecting that the cable connecting the communication terminals 31-1 to 31-3 and the gateway device 1 has been disconnected and executing the deletion process of the authentication concession table, the authentication processing unit 11 performs link down of the port cable. Is detected from the ports 15-1 to 15-3, and the terminal identifiers connected to the detected ports 15-1 to 15-3 are detected from the port table 147. The authentication processing unit 11 executes the erasure process of the authentication information table 142 using the detected terminal identifier instead of the terminal identifier extracted from the withdrawal request.

  Next, the operation of the registration process of the multicast participation state table and the multicast routing table 144 will be described with reference to the flowchart of FIG. The IGMP proxy processing unit 12 of the gateway apparatus 1 transmits a multicast group inquiry request (IGMP Query message) to the communication terminals 31-1 to 31-3 on the LAN 3 side as IGMP communication. When receiving the multicast group inquiry request, the communication terminals 31-1 to 31-3 participating in the multicast group send a multicast participation request (IGMP Report message) including the terminal identifier and the multicast group address of the participating multicast group. Send.

  When receiving the multicast participation request (step S200), the IGMP proxy processing unit 12 of the gateway device 1 extracts a terminal identifier and a multicast group address from the received multicast participation request (step S201). The IGMP proxy processing unit 12 determines whether or not the set of the extracted terminal identifier and multicast group address has been registered in the multicast participation state information table 143 (step S202). When the set of the extracted terminal identifier and multicast group address has already been registered in the multicast participation information state table, the IGMP proxy processing unit 12 ends the registration process of the multicast participation state table and the multicast routing table 144.

  If the pair of the extracted terminal identifier and multicast group address is not registered in the multicast participation information state table, the IGMP proxy processing unit 12 stores the extracted terminal identifier and multicast group address pair in the multicast participation state information table 143. Register (step S203). Specifically, the terminal identifier extracted in the terminal information of the multicast participation state information table 143 is registered, and the multicast group address extracted in the destination multicast group information is registered.

  The IGMP proxy processing unit 12 selects a VLAN identifier based on the extracted terminal identifier and the authentication information table 142 (step S204). Specifically, the IGMP proxy processing unit 12 searches the terminal identifier registered in the terminal information of the authentication information table 142 using the extracted terminal identifier as a search key, and performs authentication in association with the terminal identifier that matches the search key. A VLAN identifier registered in the VLAN information of the information table 142 is selected.

  The IGMP proxy processing unit 12 registers the selected VLAN identifier, the terminal identifier extracted from the multicast participation request, and the multicast group address in the multicast routing table 144 (step S205). Specifically, the IGMP proxy processing unit 12 searches for VLAN information and destination multicast group information in the multicast routing table 144 using the selected VLAN identifier and multicast group address as search keys. When the VLAN identifier and the multicast group address matching the search key are detected, the IGMP proxy processing unit 12 routes the VLAN information and the destination multicast group information in which the detected VLAN identifier and multicast group address are registered. The terminal identifier extracted from the multicast participation request is added to the information. When the VLAN identifier and the multicast group address that match the search key cannot be detected, the IGMP proxy processing unit 12 registers the selected VLAN identifier in the VLAN information and extracts it from the multicast participation request in the destination multicast group information. The multicast group address is registered, and the terminal identifier extracted from the multicast participation request is registered in the route information.

  After completing the registration process of the multicast participation state information table 143 and the multicast routing table 144, the IGMP proxy processing unit 12 performs IGMP communication with a router connected to the WAN 5 (not shown) as a function of the IGMP host. Do. More specifically, in response to a multicast group inquiry request received via the WAN 5, a multicast that matches the multicast group inquiry content by referring to the multicast participation state information held for the VLANs 51-1 to 51-3 indicated by the WAN 5 Send group join request.

  Next, with reference to the flowchart of FIG. 11, the operation of the deletion process of the multicast participation state information table 143 and the multicast routing table 144 will be described. The IGMP proxy processing unit 12 of the gateway apparatus 1 transmits a multicast group inquiry request (IGMP Query message) to the communication terminals 31-1 to 31-3 on the LAN 3 side as IGMP communication. When receiving the multicast group inquiry request, the communication terminals 31-1 to 31-3 leaving the multicast group transmit a multicast leave request (IGMP Leave message) including the terminal identifier and the multicast group address of the multicast group to leave.

  When receiving the multicast leave request (step S300), the IGMP proxy processing unit 12 of the gateway device 1 extracts a terminal identifier and a multicast group address from the received multicast leave request (step S301).

  The IGMP proxy processing unit 12 deletes the set of the extracted terminal identifier and multicast group address from the multicast participation state information table 143 (step S302). The IGMP proxy processing unit 12 deletes information regarding the terminal identifier registered in the multicast routing table 144 in association with the extracted multicast address (step S303).

  Specifically, the IGMP proxy processing unit 12 searches for the destination multicast group information in the multicast routing table 144 using the extracted multicast group address (deleted from the multicast group participation state information table) as a search key, and matches the search key. The multicast group address to be extracted is extracted. The IGMP proxy processing unit 12 deletes the terminal identifier deleted from the multicast group participation state information table from the route information associated with the extracted multicast group. When another terminal identifier is registered in the route information, the IGMP proxy processing unit 12 ends the deletion processing of the multicast participation state information table 143 and the multicast routing table 144.

  When no other terminal identifier is registered in the route information, the IGMP proxy processing unit 12 uses the multicast group registered in the destination multicast group information associated with the route and the information in which the deleted terminal identifier is registered. The VLAN identifier registered in the address and VLAN information is deleted, and the deletion process of the multicast participation state information table 143 and the multicast routing table 144 is terminated.

  The IGMP proxy processing unit 12 terminates the deletion processing of the multicast participation state information table 143 and the multicast routing table 144 and then performs IGMP communication with a router connected to the WAN 5 (not shown) as a function of the IGMP host. Do. Specifically, in response to a multicast group inquiry request received via the WAN 5, the multicast participation state information held for the VLANs 51-1 to 51-3 indicated by the WAN 5 is referred to match the multicast group inquiry content. Send a multicast group leave request.

  Note that the above-described deletion processing of the multicast participation state information table 143 and the multicast routing table 144 is also executed by a deletion instruction from the authentication processing unit 11 described above. In this case, the IGMP proxy processing unit 12 searches for the terminal information in the multicast participation state information table 143 using the terminal identifier included in the deletion instruction as a search key, and sets the destination multicast associated with the terminal information that matches the search key. The group information may be deleted, and the multicast routing table 144 may be updated using the deleted multicast group address and the terminal identifier included in the deletion process.

  Next, the operation of IP packet transfer processing will be described with reference to the flowchart of FIG. Note that the routing table 145 is created in advance by a general router function. When receiving a frame including an IP packet via the ports 15-1 to 15-4 (step S400), the routing processing unit 13 determines whether the received frame is a tagged layer 2 frame (step S401). ). If the received frame is a tagged layer 2 frame, the routing processing unit 13 selects the VLANs 51-1 to 51-3 based on the interface table 146 (step S402). Specifically, a VLAN identifier that is a reception interface is extracted from the VLAN tag of the tagged layer 2 frame, the reception interface in the interface table 146 is searched using the extracted VLAN identifier as a search key, and the reception interface that matches the search key is set. The VLAN identifier registered in the user network information of the interface table 146 is selected.

  On the other hand, when the received frame is a layer 2 frame, the routing processing unit 13 selects a VLAN based on the authentication information table 142 (step S403). Specifically, terminal information in the authentication information table 142 is searched using the terminal identifier included in the layer 2 frame as a search key, and is registered in the VLAN information of the authentication information table 142 in association with the terminal information that matches the search key. Select a VLAN identifier.

  After selecting the VLAN identifier, the routing processing unit 13 determines whether or not the IP address set in the destination IP address of the IP header of the received frame is a multicast group address (step S404). When the IP address set as the destination IP address is a multicast address, the routing processing unit 13 selects the destination of the IP packet based on the multicast routing table 144 and the port table 147 and transfers the IP packet ( Step S405).

  Specifically, the routing processing unit 13 sets a combination of the VLAN identifier selected using the interface table 146 or the authentication information table 142 and the IP address (multicast group address) set in the transmission destination IP address of the IP header. As a search key, VLAN information and destination multicast group information in the multicast routing table 144 are searched, and a terminal identifier registered in route information in the multicast routing table 144 in association with VLAN information and destination multicast group information that matches the search key To get. The routing processing unit 13 searches the connection information in the port table 147 using the acquired terminal identifier as a search key, and stores the communication terminals 31-1 to 31-3 indicated by the terminal identifiers 15-1 to 15-3. Select the port identifier that indicates. The routing processing unit 13 generates a layer 2 frame including an IP packet by a general router packet transfer process such as subtraction of the survival time in the IP header and recalculation of the checksum, and selects the generated layer 2 frame. It transmits to the ports 15-1 to 15-3 indicated by the identifier.

  On the other hand, when the IP address set as the destination IP address is not a multicast address, the routing processing unit 13 selects the destination of the IP packet based on the routing table 145 and the port table 147 and transfers the IP packet. (Step S406).

  Specifically, the routing processing unit 13 searches for a set of the VLAN identifier selected using the interface table 146 or the authentication information table 142 and the IP address (IP prefix) set in the destination IP address of the IP header. The VLAN information and the destination IP prefix information in the routing table 145 are searched as keys, and the VLAN identifier and the communication terminal 31- registered in the route information in the routing table 145 in association with the VLAN information and the destination prefix information that match the search key. The transmission destination identification information such as the MAC addresses 1 to 31-3 and the port identifiers that accommodate the communication terminals 31-1 to 31-3 are acquired. The routing processing unit 13 performs the longest match search for the destination IP prefix information.

  When the identification information of the transmission destination indicates itself, the routing processing unit 13 performs processing based on the data of the IP packet without transmitting the IP packet. When the destination identification information indicates the communication terminals 31-1 to 31-3, the routing processing unit 13 performs IP transfer by general router packet transfer processing such as subtraction of the lifetime in the IP header and checksum recalculation. A layer 2 frame including the packet is generated. When the destination identification information indicates the WAN 5 side, the routing processing unit 13 generates a tagged layer 2 frame including the IP packet by a general router packet transfer process such as checksum recalculation. The VLAN identifier selected using the authentication information table 142 is set in the VLAN tag of the tagged layer 2 frame. When the identification information of the transmission destination is a port identifier, the routing processing unit 13 transmits the generated layer 2 frame or tagged layer 2 frame to the ports 15-1 to 15-4 indicated by the port identifier. If the identification information is not a port identifier, the connection information in the port table 147 is searched by using the identification information of the transmission destination as a search key, the port identifier is selected, and the ports 15-1 to 15-4 indicated by the selected port identifier The generated layer 2 frame or tagged layer 2 frame is transmitted.

  As described above, in the first embodiment, the VLANs 51-1 to 51-3 and the multicast groups, which are virtual networks for which connections with the communication terminals 31-1 to 31-3 are authenticated, are associated with each other. A multicast from the WAN 5 in which the VLANs 51-1 to 51-3 are provided with a multicast routing table 144 in which route information that is a physical or logical interface of the multicast group is registered in the VLANs 51-1 to 51-3. When the IP packet is transferred, the multicast IP packet is based on the VLANs 51-1 to 51-3 that have received the multicast IP address, the multicast group address of the multicast IP packet, and the multicast routing table 144. Since the transmission destination is selected, the VLAN 51-1 whose connection with the communication terminals 31-1 to 31-3 is authenticated with respect to the communication terminals 31-1 to 31-3 participating in the multicast group. It is possible to transfer only the multicast IP packets from ˜51-3, and the security of the communication system can be improved.

  In the first embodiment, when a multicast IP packet is transferred from the WAN 5 in which the VLANs 51-1 to 51-3 are constructed, the VLANs 51-1 to 51-3 that have received the multicast IP address, Since the destination of the multicast IP packet is selected based on the multicast group address of the IP packet and the multicast routing table 144, the communication terminals 31-1 to 31-3 on the LAN 3 side incorrectly identify the multicast IP packet. Can be prevented from being received, and unnecessary IP packets are not transferred, so that an increase in traffic due to multicast communication in the LAN 3 can be suppressed and the performance as a communication system can be improved. That.

  In the first embodiment, since the MAC address or the IP address is used as the terminal identifier in the routing information of the multicast routing table 144 and the routing table 145 used when selecting the forwarding destination of the IP packet, the terminal identifier indicates The port table 147 is stored in the storage unit 14 in order to select the communication terminals 31-1 to 31-3 and the ports 15-1 to 15-4 that accommodate the VLANs 51-1 to 51-3 indicated by the VLAN identifiers. However, when port identifiers are used for the route information in the multicast routing table 144 and the routing table 145, the ports 15-1 to 15-4 for transmitting IP packets can be recognized, so the port table 147 is unnecessary. It becomes.

  In the first embodiment, the terminal information of the plurality of communication terminals 31-1 to 31-3 can be registered in the route information of the multicast routing table 144, and is registered in the destination multicast group information. Since the multicast group address does not necessarily require the longest match search, the multicast routing table 144 and the routing table 145 are separated. However, because the multicast group address and other addresses are separated in the IP address system, the multicast routing table is not necessarily multicast routing. The table 144 and the routing table 145 do not need to be separated, and may be a single table.

Embodiment 2. FIG.
A second embodiment of the present invention will be described with reference to FIG. Some typical gateway apparatuses have a bridge connection function in which a plurality of interfaces (ports) are connected at layer 2, and layer 3 has a bridge connection function for handling the plurality of ports as a single unit. In the second embodiment, a case where the present invention is applied to a gateway device having a bridge connection function will be described.

  FIG. 13 is a diagram showing a configuration of a gateway device that is a network relay device according to Embodiment 2 of the present invention, and a configuration of a communication system to which the gateway device is applied. The communication system shown in FIG. 13 includes a gateway device 1a instead of the gateway device 1 of the communication system of the first embodiment shown in FIG. The gateway device 1a includes an IGMP proxy processing unit 12a instead of the IGMP proxy processing unit 12 of the gateway device 1, and a bridge 16 is further added. In addition, the same code | symbol is attached | subjected to the component which has the same function as the communication system and gateway apparatus 1 shown in FIG. 1, and the overlapping description is abbreviate | omitted.

  The gateway device 1a has a configuration in which ports 15-1 to 15-3, which are interfaces on the LAN 3 side, are bridge-connected, and the bridge 16 connects the ports 15-1 to 15-3 in layer 2, and the port 15-1 Processing related to layer 2 of frames to be transmitted / received via ˜15-3 is performed. As a result, in Layer 3, the authentication processing unit 11, the IGMP proxy processing unit 12a, and the routing processing unit 13 in the gateway device 1a have a single interface (port) without identifying the ports 15-1 to 15-3. Will be treated as

  In addition to the function of the IGMP proxy processing unit 12, the IGMP proxy processing unit 12a has a snooping function for specifying the reception interface of the IGMP message in the IGMP communication that is layer 3 communication. In the gateway device 1a, the ports 15-1 to 15-3 are connected by layer 2 through the bridge 16, and IGMP communication (transmission of a multicast group inquiry request to the communication terminals 31-1 to 31-3 on the LAN 3 side) is performed as layer 3 communication. When receiving a multicast group join request and a multicast group leave request), the ports 15-1 to 15-3 become a single interface. For this reason, the IGMP proxy processing unit 12a collects information on the reception group in the bridge of the IGMP message and the multicast group to which the communication terminals 31-1 to 31-3 on the LAN 3 side participate by the snooping function.

  The operation of the gateway device 1a of the second embodiment is almost the same as that of the gateway device 1 of the first embodiment, and the only difference is that the IGMP message receiving interface is specified by the snooping function. Therefore, description of the operation is omitted here.

  As described above, in the second embodiment, the IGMP proxy processing unit 12 snoops the layer 2 connection in the bridge 16 and transmits the multicast join request and / or the multicast leave request, and the communication terminals 31-1 to 31-31. -3 and the multicast group are extracted, the ports 15-1 to 15-3 accommodating the communication terminals 31-1 to 31-3 on the LAN3 side are connected at layer 2, and in layer 3, Even when 15-1 to 15-3 have a bridge function to be handled as a single interface, the communication terminals 31-1 to 31-31 are connected to the communication terminals 31-1 to 31-3 participating in the multicast group. 3 and forwarding only multicast IP packets from VLANs 51-1 to 51-3 whose connections are authenticated Possible, and it is possible to improve the security of the communication system.

  As described above, the network relay device according to the present invention is useful when a LAN and a WAN are used as different networks to be interconnected. In particular, a communication device connected to the LAN side is logically connected to each communication device. It is suitable for a communication system connected to different separated WANs.

It is a figure which shows the structure of the gateway apparatus which is a network relay apparatus of Embodiment 1 in this invention, and the structure of the communication system to which a gateway apparatus is applied. It is a figure which shows the structure of the connection information table which the memory | storage part of the gateway apparatus shown in FIG. 1 memorize | stores. It is a figure which shows the structure of the authentication information table which the memory | storage part of the gateway apparatus shown in FIG. 1 memorize | stores. It is a figure which shows the structure of the multicast participating state information table which the memory | storage part of the gateway apparatus shown in FIG. 1 memorize | stores. It is a figure which shows the structure of the interface table which the memory | storage part of the gateway apparatus shown in FIG. 1 memorize | stores. It is a figure which shows the structure of the multicast routing table which the memory | storage part of the gateway apparatus shown in FIG. 1 memorize | stores. It is a figure which shows the structure of the port table which the memory | storage part of the gateway apparatus shown in FIG. 1 memorize | stores. It is a figure which shows the structure of the routing table which the memory | storage part of the gateway apparatus shown in FIG. 1 memorize | stores. It is a flowchart for demonstrating the operation | movement of the authentication process including the registration process of the authentication information table of the gateway apparatus of Embodiment 1 in this invention. It is a flowchart for demonstrating the operation | movement of the registration process of the multicast participating state table and multicast routing table of the gateway apparatus of Embodiment 1 in this invention. It is a flowchart for demonstrating the operation | movement of the deletion process of the multicast participation state table and multicast routing table of the gateway apparatus of Embodiment 1 in this invention. It is a flowchart for demonstrating the operation | movement of the transfer process of the IP packet of the gateway apparatus of Embodiment 1 in this invention. It is a figure which shows the structure of the gateway apparatus which is a network relay apparatus of Embodiment 2 in this invention, and the structure of the communication system to which a gateway apparatus is applied.

Explanation of symbols

1,1a Gateway device 3 LAN
5 WAN
DESCRIPTION OF SYMBOLS 11 Authentication process part 12 IGMP proxy process part 13 Routing process part 14 Memory | storage part 15-1, 15-2, 15-3, 15-4 Port 31-1, 31-2, 31-3 Communication terminal 51-1, 51 -2, 51-3 VLAN
141 Connection Information Table 142 Authentication Information Table 143 Multicast Participation Status Information Table 144 Multicast Routing Table 145 Routing Table 146 Interface Table 147 Port Table

Claims (6)

The communication terminal is disposed between a first network to which one or a plurality of communication terminals are connected and a second network in which a plurality of virtual networks are constructed, and the communication terminal is connected to at least one of the plurality of virtual networks. the an authentication processing section for authenticating, on the basis of the authentication result by the authentication processing unit, the network relay device that connects said communication terminal in said virtual network,
An authentication information table in which a virtual network whose connection is authenticated by the authentication processing unit is registered in association with the communication terminal;
An interface table in which a reception interface of the IP packet and a virtual network are registered in association with each other ;
When a multicast participation registration requesting participation in a multicast group corresponding to the multicast including a multicast address is received from the communication terminal, the authentication table is searched and the communication terminal that is the transmission source of the multicast participation registration is searched. An IGMP proxy processing unit that extracts a corresponding virtual network and generates a multicast routing table for associating and holding the communication terminal, the multicast address, and the extracted virtual network;
When the IP packet received from the second network is a multicast IP packet, a virtual network corresponding to the receiving interface is obtained based on the identification information of the receiving interface included in the IP packet and the interface table. A routing processing unit that searches the multicast routing table based on the acquired virtual network and a multicast address included in the received IP packet, and forwards the IP packet to the communication terminal obtained by the search ; ,
A network relay device comprising: When receiving a multicast leaving request including a multicast group leaving from the communication terminal, extract a virtual network registered in the authentication information table in association with the communication terminal that transmitted the multicast participation request, from the multicast routing table, Deleting the extracted virtual network and the communication terminal that has transmitted the multicast join request registered in association with the multicast group included in the multicast leave request;
The network relay device according to claim 1 . The authentication processing unit
After authenticating the connection to the virtual network by a participation request from the communication terminal, registering the virtual network whose connection is authenticated in association with the authenticated communication terminal in the authentication information table;
The network relay device according to claim 1 or 2 . The authentication processing unit
Deleting a communication terminal that has transmitted the withdrawal request and a virtual network associated with the terminal from the authentication information table in response to a withdrawal request from the communication terminal;
The network relay device according to any one of claims 1 to 3 . The network relay device according to any one of claims 1-4, characterized in that it further comprises the first bridge interface Layer 2 connection for accommodating the communication terminals of the network. The IGMP proxy processing unit
Snooping a Layer 2 connection in the bridge to extract a communication terminal and a multicast group that transmitted the multicast join request and / or the multicast leave request;
The network relay device according to claim 5 .

Images